[Home] [Databases] [WorldLII] [Search] [Feedback] New Zealand Law Commission

[Database Search] [Name Search] [Previous] [Next] [Download] [Help]

• General
• Explanation As To Use Of Technical Terms
• Unauthorised
• Intent
• Data
• Computer
• Computer Misuse
• Interception
• Access
• Use
• Damage

2 Defining our terms

GENERAL

7 The Crimes Consultative Committee 1991 report recommended three distinct offences (see para 4). Advances in technology since 1991 have revealed additional problems which can properly be characterised as computer misuse.

8 It is important to bear in mind the purpose of the criminal law when deciding whether it is appropriate to provide criminal sanctions for such activities. Sir Carleton Allen stated:

Crime is crime because it consists in wrongdoing which directly and in serious degree threatens the security or well-being of society, and because it is not safe to leave it redressable only by compensation of the party injured (Smith & Hogan 1992 16).

9 The types of computer misuse identified in paras 24–29 of this report can be characterised as wrongdoing which directly, and to a serious degree, threatens the security or wellbeing of our society which is increasingly reliant on computers to process, record and transfer information for the purposes of both business and social services. There is a need to deter people who may otherwise be inclined to engage in computer misuse and to punish those who do. In that context we address the continuum of conduct which we believe should be encompassed within any criminal law dealing with computer misuse.

10 After consultation with members of our Advisory Committee, we have formed the view that there are four distinct elements with which any criminal law concerning computer misuse must deal. These elements are unauthorised:

• interception of data stored on a computer;
• accessing of data stored on a computer;
• use of data stored on a computer; and
• damaging of data stored on a computer.

We now explain the type of conduct which we intend the terms set out in para 10 to cover.

Explanation as to Use of Technical Terms

11 Various types of conduct should be encompassed within the category of unauthorised interception, access, use and damage of electronic data. We propose to use terms conveyed to us by the technical members of our Advisory Committee which, we are told, are commonly understood by those who use computers and are sufficiently proficient to engage in computer misuse. These terms will, obviously, require translation into a form of language which can be included in a statute should our recommendations be accepted.

Unauthorised

12 The term “unauthorised” is intended to mean: without the express or implied consent of the person entitled to control access to the data. We intend the term “implied consent” to mean consent inferred from proved words or conduct. By defining the term in that way:

• those who access the information with express or implied consent (for instance, computer repairers); or
• those who access the information for a lawful purpose (for example, law enforcement officials executing search warrants)

will not be caught by the criminal law.

Intent

13 We consider that the offence of unauthorised access should require an intent:

• to cause loss or harm to the person entitled to the data or to some third party; or
• to gain some form of benefit or advantage either personally or to a third party.

In our view, an intent to cause loss or harm, or an intent to gain a benefit or advantage is needed to avoid trivialising the criminal law by making every unauthorised access a criminal offence. The requirement of such an intent will mean that those who gain access simply to achieve the prize of access will not be criminally liable for their actions. As we have not suggested that a similar intent be required for the offence of damage (see paras 22, 23 and 93), a person who obtains unauthorised access without an intent to cause loss or harm or to gain a benefit or advantage will still be liable for the offence of “damaging” if damage is caused through careless conduct. We are also of the view that the terms “loss or harm” and “benefit or advantage” need to be given wide meanings so that they relate to both potential and actual, loss, harm, benefit or advantage. They should also extend to losses and benefits which go beyond pecuniary ones.

Data

14 The word “data” is intended to include all types of information stored on a computer, including the programmes which run the computer as well as personal information.

Computer

15 We have considered how best to define the term “computer”. We note that the Attorney-General’s Department of Australia, the Law Commission of England and Wales and the Scottish Law Commission (in their reports in relation to computer misuse) all recommended against defining the term “computer”. We note that:

• First, computer technology is advancing rapidly and any definition would quickly become obsolete. In that regard the likelihood of technological obsolescence creates an added incentive to avoid technological or media specific language in any statute dealing with computer misuse.
• Secondly, any legal definition of “computer” is likely to be complex and will probably produce extensive argument about the true meaning of the words used.

For these reasons we are of the view that it is best not to define the term. We intend that the term be interpreted in a wide sense so as to include any future technology of similar kind not yet in existence.

Computer Misuse

16 The term “computer misuse” is technology-neutral. The definition does not refer to any particular method of communication. Also, the definition does not limit “computer misuse” solely to land based or long range activities. The definition we have proposed covers both the situation where an individual gains access to a computer from a distance as well as the situation where a person accesses a computer by making physical contact with the computer.

Interception

17 The first category of misuse is the unauthorised interception of electronic data. This is where a person eavesdrops so as to pick up information in the course of being transmitted to, or received by, a computer or intercepts the emanations from a computer and transforms those emanations into a useable form.

18 Examples of unauthorised interception of electronic data include:

• • communication channel interruption and pass through – where the channel is physically breached and the attacker siphons off (or records) data and passes it back to the channel so that the data can continue to the original destination. The receiver would normally be unaware of this type of interception;
• • diverting a transmission via a duplicate channel –physically splitting the signal so that two or more copies are being transmitted simultaneously, one to the original destination and one to the attacker;
• • packet sniffing – intercepting, analysing or recording communication packets (fixed size blocks of data which are transmitted over a communications channel) without altering the intercepted packets. The tools to accomplish this are freely available on the Internet;
• • scanning – probing of network ports to ascertain the state of each port. The state of any given port is in indication of whether that port might be an avenue of successful entry or attack. Sample tools for accomplishing this are SATAN (Security Audit Tool for Auditing Networks) and ISS (Internet Security Scanner). There are many other tools freely available on the Internet;
• • electromagnetic emanations – surreptitiously gaining emanations via an induction coil, radio receiver or other device and translating them into usable forms.

Access

19 The second category of misuse is the unauthorised accessing of data stored in a computer. This is where a person without authority, whether through physical or electronic means, accesses data stored on a computer. Examples of this are:

• masquerading – identity theft (impersonation), document and message forging. This includes all situations in which impersonation or forgery of data occurs;
• password cracking – attacking systems and guessing passwords or gaining access to password files and analysing them to derive valid passwords to gain unauthorised entry to a system;
• spoofing – forging packet addresses so that the message appears to have originated from a “trusted” source;
• use of valid passwords – using another’s password to gain unauthorised entry to a system;
• employee access – where an employee gains unauthorised access to information.

Use⁵

20 The third category of misuse is the unauthorised use of data stored in a computer. The term “use” covers two distinct types of activity. The first is where a person without authority gains access to data stored in a computer and then goes on to use that data in an unauthorised way. The second type of activity is where a person plays no part in gaining unauthorised access to data but, nevertheless, receives and uses the data in an unauthorised way. This second situation is akin to receiving rather than theft. We see the term “use” as covering both intellectual uses of data as well as physical uses.

21 In the context of the criminal law, we consider that fine distinctions should not be drawn between the use of information which is properly regarded as intellectual property and information which is not currently regarded as property. Later, we suggest (in para 36) that information may need to be redefined generally as a property right for both civil and criminal law purposes. In the context of the criminal law, we are of the view that such fine distinctions are undesirable in principle and will create uncertainty in practice. For that reason, we recommend that any computer misuse statute be worded specifically to over-rule the effect of Malone v. Metropolitan Police Commissioner (No 2) [1979] 1 Ch 344, which held that no duty of confidence attaches to information acquired by interception of a telephone conversation. We will address the question whether the civil law should regard information as a property right in our second Electronic Commerce report (see, generally, Electronic Commerce Part One: at paras 158 –166, attached as Appendix C).

Damage

22 The final category of misuse is damaging data stored on a computer. “Damage” is intended to cover the entire continuum from denial of data through to modification of data stored in a computer through to destruction of that data. Given that continuum, it is clear that some types of damage (eg alteration or deletion of data) could be carried out both with and without authority. It is not proposed to criminalise authorised conduct. Further, the term is not intended to be limited to permanent damage and would include temporary damage to computer data. This category covers both the “direct” and the “indirect” damaging of data. Examples of “direct” damaging of data are:

• “hacking” into a computer and deleting data;
• adding a “virus”, a “worm”, a “trojan horse” or a “logic bomb” to a computer system (see Appendix B for definitions of these terms); and
• using an electromagnetic or high energy radio frequency to destroy data stored on a computer.

23 Examples of “indirect” damaging of data are:

• writing a harmful “virus” on to a computer disk intending that someone else will use the disk and thereby introduce the virus into a computer;
• entering a password or otherwise blocking legitimate users from being able to access data;⁶ and
• denial of service attacks where a person sends many messages at an Internet Service Provider blocking any other transmissions from getting through.

The second and third points are examples of what we have termed “denial of data” in this report.